cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)


Re: [[cat-users]] Correct method for certificate rollover in CAT?


  • From: Louis Twomey <louis.twomey AT heanet.ie>
  • To: Paul Dekkers <paul.dekkers AT surf.nl>
  • Cc: Guy Halse <guy AT tenet.ac.za>, "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Correct method for certificate rollover in CAT?
  • Date: Fri, 15 Oct 2021 10:04:39 +0000
  • Accept-language: en-IE, en-US

Hi Guy,
Android < 7.1 does not allow more than one CA to be installed with a profile,
so with those devices you have no way to cleanly migrate and you basically
cut them off when you switch to the new server cert.

Regards,
Louis
-------
Louis Twomey
Technical Architect
PGP key: C77D9256
HEAnet CLG, Ireland’s National Education and Research Network
1st Floor, 5 George’s Dock, IFSC, Dublin D01 X8N7, Ireland
+353 (0)1 6609040 louis.twomey AT heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270

> On 15 Oct 2021, at 10:55, Paul Dekkers <paul.dekkers AT surf.nl> wrote:
>
>
> Hi,
>
> On 15/10/2021 10:40, Guy Halse wrote:
>> Hi
>>
>> We have an IdP that wants to roll over the certification authority it uses
>> and deploy on a new RADIUS instance. In this process, both the CA
>> certificate and the CN used for validation will necessarily change.
>>
>> The CAT web application supports adding both multiple root certs and
>> multiple subject CNs into a profile, which means it's possible to generate
>> a profile that theoretically covers both the old and new infrastructure.
>> This looks to be the way to minimise the end-user impact of rolling over,
>> since users can be asked to re-install from CAT prior to the migration
>> with the assurance that they'll work in both scenarios without
>> interruption.
>>
>> However, I seem to remember there were platform-specific limitations on
>> how that works in practice. The platforms they're most interested in are
>> Windows 10, Android, and iPhone -- and for some reason I seem to remember
>> this being broken on Android?
> That is true for the old eduroam CAT App I believe, but geteduroam supports
> multiple CAs just fine. So I can myself actually only speak for geteduroam;
> but there I don't see this as an issue. (Also the Windows geteduroam App
> installs multiple CAs, and I believe the CAT installer does as well.)
>
> The proof of the pudding, ... ;-) if you have older devices that need the
> old CAT app, that may be an issue.
>
>> Does it help to issue a cert with a SubjectAlternativeName matching the
>> old CN used for validation? (I'm not sure that's actually possible in this
>> case, but it was a thought I had.)
> I don't think this is necessary per se, but it's better not to change it
> too much, for some platforms will fall back to a "matching substring". But
> that's also the more legacy Android types.
>> Does anyone have experience with this sort of roll-over who can offer
>> advice on what does and doesn't work? Or better yet, point me at
>> documentation?
> I do like Jan-Frederik's comments/experiences too. The part I described is
> only ... well, part of the story. The rest is getting people to migrate.
> (Of course the trick with anonymous usernames may trigger the anonymous
> username bugs; it may be safer if you prefix with anon also, so anon2021
> may be better, I forgot the entire logic that worked or didn't work.)
>
> Regards,
> Paul
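As an added illustration (constructed for this archive page, not code from CAT or geteduroam), a small Python model of the trust decision a profile drives during the rollover discussed above: a profile carrying both CAs and both server names covers the old and the new RADIUS server on a platform that installs every CA, while a platform that keeps only one CA (modelled, as an assumption, as keeping the first CA listed) loses one side of the migration. CA names, server names and the `install`/`accepts` helpers are all hypothetical.

```python
"""Model of the supplicant trust check an eduroam profile drives (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerCert:
    ca: str            # issuing CA, by name; a real supplicant compares the CA certificate
    cn: str            # subject CN presented by the RADIUS server
    sans: tuple = ()   # subjectAltName dNSName entries, if any


@dataclass
class Profile:
    cas: list      # trusted CA(s) pushed by the profile
    names: list    # accepted server names (CAT allows several)


def install(profile, max_cas=None):
    """Model a platform installing a profile. Android < 7.1 takes a single CA per
    the thread; which CA survives is an assumption here (the first one listed)."""
    cas = profile.cas if max_cas is None else profile.cas[:max_cas]
    return Profile(cas=list(cas), names=list(profile.names))


def name_matches(expected, presented, substring=False):
    """Strict comparison, or the substring fallback some legacy platforms use."""
    return expected in presented if substring else expected == presented


def accepts(installed, cert, substring=False):
    """True if the cert chains to a trusted CA and an accepted name matches CN or a SAN."""
    if cert.ca not in installed.cas:
        return False
    presented = (cert.cn,) + tuple(cert.sans)
    return any(name_matches(n, p, substring) for n in installed.names for p in presented)


# Constructed rollover scenario: new CA and new CN on the new RADIUS instance.
OLD = ServerCert(ca="OldCA", cn="radius.example.ac.za")
NEW = ServerCert(ca="NewCA", cn="radius2.example.ac.za")
DUAL = Profile(cas=["OldCA", "NewCA"], names=["radius.example.ac.za", "radius2.example.ac.za"])


def rollover_matrix():
    """Which (platform, server) combinations still authenticate with the dual profile."""
    modern = install(DUAL)
    legacy_android = install(DUAL, max_cas=1)
    return {
        "modern/old": accepts(modern, OLD),
        "modern/new": accepts(modern, NEW),
        "android<7.1/old": accepts(legacy_android, OLD),
        "android<7.1/new": accepts(legacy_android, NEW),
    }
```

The matrix makes the cut-off visible before the switch: every "modern" row is True, while the single-CA platform only ever trusts one of the two servers, whichever CA it kept.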